01-28-2026 03:38 AM
01-28-2026 03:50 AM
Hi @L.Yalezo ,
In the Palo Alto ecosystem, the Default Trusted Certificate Authorities store is historically updated via major PAN-OS releases (e.g., moving from 10.2.x to 11.1.x or 11.2.x).
PAN-OS Updates: This is the primary vehicle for permanent root store changes. Palo Alto usually syncs their default store with the Mozilla/Google root programs during the development of a new maintenance or feature release.
It will likely appear in a future release of the 11.2 or 12.0 trains.
Manual import is a workaround to address the issue.
Kind regards,
01-28-2026 04:20 AM
Hi @kiwi
Thank you for the prompt feedback.
It’s possible that this root certificate, along with others, will be included in future releases of the 11.2 or 12.x trains, pending Palo Alto’s vetting process given that they are fairly new. According to this blog: https://blog.bressem.com/2025/11/palo-alto-is-missing-the-new-sectigo-root-cas/ this root certificate is still missing in versions 11.2.7-h4, 11.2.10 and 12.1.3-h1.
I was wondering if perhaps there are avenues to submit a feature request for including this root certificate, like one would do when requesting a reclassification of an application.
Many thanks.
01-28-2026 08:07 PM
Hi @L.Yalezo ,
Currently, there is no code-level resolution for automatically updating this list outside of major PAN-OS releases nor is there a "feature request" for this.
You can manually import it as a trusted root CA to ensure that your firewall trusts the new Sectigo root certs.
02-05-2026 09:05 AM - edited 02-06-2026 06:33 AM
@JayGolf wrote:
Hi @L.Yalezo ,
Currently, there is no code-level resolution for automatically updating this list outside of major PAN-OS releases nor is there a "feature request" for this.
You can manually import it as a trusted root CA to ensure that your firewall trusts the new Sectigo root certs.
There is an FR for this (NSFR-I-21203)... At least I'm told there was, and that my company was added to the FR. I'll look for it and share it here.
That said, this is something Palo has known about for years and something I've been complaining to Palo about for the past 5+ years. It's so bad that a whole repo process was set up to solve this issue Palo has ignored.
https://github.com/PaloAltoNetworks/pan-chainguard
There is partial good news. In 12.1.2, Palo is trying to solve the missing intermediate cert issue, as PAN-OS will attempt to dynamically download missing intermediate certificates (no current solve for roots, other than the code upgrade).
Automatic Retrieval of Intermediate Certificates Using AIA
"We introduced a mechanism to fetch intermediate certificates via the AIA extension.
This mechanism can be toggled on/off by a new Decryption Profile setting: “Automatically Fetch Intermediate Certificates”
As part of decryption, when we encounter a server certificate with an incomplete chain, and the AIA CA Issuers extension is present (RFC5280), we will attempt to download an Intermediate CA certificate from the specified URL.
If successful, we cache the intermediate certificate for up to 1 week and use it to validate future traffic." *Caveats: The first session will show untrusted until the intermediate certificate(s) have been fetched*
Note:
This feature must be enabled on a Decryption Profile (“Automatically Fetch Intermediate Certificates”)
The intermediate certificate cache itself is only present on firewalls (not Panorama or SCM)
Panorama and SCM can only enable/disable the feature
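The thread distinguishes two failure modes: a root the firewall's Default Trusted Certificate Authorities store lacks (fixed only by a manual import, as kiwi and JayGolf describe, or by a PAN-OS upgrade) and an intermediate the server omits (which the 12.1.2 AIA fetch described above can repair, after one untrusted first session). The script below reproduces both offline with the OpenSSL CLI. It is an added example, not code from this thread, from pan-chainguard or from Palo Alto Networks: the CA names, the pki.example.test URL and the `fetch_intermediate` function that stands in for PAN-OS's HTTP download are all constructed for the demo, and it assumes an OpenSSL 1.1.1 or 3.x `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread or from Palo Alto Networks.
# Builds a constructed toy PKI (root -> intermediate -> leaf with an AIA CA Issuers
# pointer) and validates the leaf the way a decryption engine would: against a
# store with and without the root, with and without the intermediate.

WORK=$(mktemp -d)

# Constructed extension profiles; the pki.example.test URL is hypothetical.
cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]

[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
authorityInfoAccess = caIssuers;URI:http://pki.example.test/intermediate.cer
EOF

new_root() { # $1 = file basename, $2 = CN: self-signed root CA (P-256 for speed)
  openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_root \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 30 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue() { # $1 = basename, $2 = CN, $3 = issuer basename, $4 = extension section
  openssl req -new -config "$WORK/pki.cnf" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 30 -extfile "$WORK/pki.cnf" -extensions "$4" \
    -out "$WORK/$1.pem" 2>/dev/null
}

new_root root      "Example Test Root CA"   # stand-in for a root the firewall lacks
new_root otherroot "Unrelated Root CA"      # a root the store already has
issue inter "Example Test Intermediate CA" root  v3_int
issue leaf  "www.example.test"             inter v3_leaf

LEAF="$WORK/leaf.pem"
STORE_OLD="$WORK/store_old.pem"   # built-in store before the new root existed
STORE_NEW="$WORK/store_new.pem"   # same store after manually importing the root
cat "$WORK/otherroot.pem" > "$STORE_OLD"
cat "$WORK/otherroot.pem" "$WORK/root.pem" > "$STORE_NEW"

# Print the CA Issuers URI from the leaf's AIA extension (RFC 5280 4.2.2.1).
aia_ca_issuers_url() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^[[:space:]]*CA Issuers - URI://p'
}

# Stand-in for the HTTP download PAN-OS performs; maps the URL to a local file.
fetch_intermediate() { # $1 = URL, $2 = destination path
  case "$1" in
    http://pki.example.test/intermediate.cer) cp "$WORK/inter.pem" "$2" ;;
    *) return 1 ;;
  esac
}

# Validate a leaf against a trust store, optionally with an untrusted intermediate
# (what the server or the AIA fetch supplied). Prints "trusted" or "untrusted".
chain_status() { # $1 = store, $2 = leaf, [$3 = intermediate]
  if [ -n "${3:-}" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  else
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  fi
}

FETCHED="$WORK/fetched_inter.pem"
fetch_intermediate "$(aia_ca_issuers_url "$LEAF")" "$FETCHED"

echo "old store, leaf only:                $(chain_status "$STORE_OLD" "$LEAF")"            # untrusted
echo "old store, AIA-fetched intermediate: $(chain_status "$STORE_OLD" "$LEAF" "$FETCHED")" # untrusted (root gap)
echo "new store, leaf only:                $(chain_status "$STORE_NEW" "$LEAF")"            # untrusted (first session)
echo "new store, AIA-fetched intermediate: $(chain_status "$STORE_NEW" "$LEAF" "$FETCHED")" # trusted
```

The second and third lines of output are the point: fetching the intermediate over AIA does nothing when the root itself is absent from the store, and with the root present the first evaluation still fails until the intermediate has been fetched, which is the caveat quoted above. Real AIA endpoints usually serve DER rather than PEM; the simulation skips that conversion.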

